tempesta-tech / tempesta

All-in-one solution for high performance web content delivery and advanced protection against DDoS and web attacks
https://tempesta-tech.com/
GNU General Public License v2.0

Multiple warnings on non-null `sock->sk_security` in `tempesta_new_clntsk()` #1941

Open osevan opened 1 year ago

osevan commented 1 year ago

```
[9226053.972379] RSP: 002b:00007fff5edf4ea8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[9226053.972380] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0b9fca1ac3
[9226053.972381] RDX: 0000000000000010 RSI: 00007f0b9d261080 RDI: 0000000000000007
[9226053.972381] RBP: 0000000000000007 R08: 00007fff5edf4f60 R09: 00007fff5edf5268
[9226053.972382] R10: 000000000000eb18 R11: 0000000000000246 R12: 0000000000000002
[9226053.972383] R13: 00007fff5edf503c R14: 0000000000000010 R15: 00007f0b9d261080
[9226053.972385] ---[ end trace ac4c42601a23a088 ]---
[9226054.126052] ------------[ cut here ]------------
[9226054.126060] WARNING: CPU: 4 PID: 1751096 at tempesta_new_clntsk+0x3b/0x50
[9226054.126061] Modules linked in: tcp_diag udp_diag inet_diag btrfs blake2b_generic xor raid6_pq ufs qnx4 hfsplus hfs minix msdos jfs xfs zfs(POE) spl(OE) tcp_cubic binfmt_misc nft_counter xt_state xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_tcpudp nft_compat nf_tables libcrc32c nfnetlink veth bochs_drm drm_vram_helper amd_energy drm_ttm_helper crct10dif_pclmul ghash_clmulni_intel aesni_intel ttm bridge stp llc crypto_simd drm_kms_helper cryptd glue_helper cec snd_pcm rc_core snd_timer fb_sys_fops snd input_leds soundcore serio_raw syscopyarea pcspkr joydev sysfillrect sysimgblt qemu_fw_cfg mac_hid drm ip_tables x_tables autofs4 hid_generic usbhid hid crc32_pclmul psmouse virtio_blk virtio_scsi virtio_net net_failover failover i2c_piix4 pata_acpi floppy
[9226054.126119] CPU: 4 PID: 1751096 Comm: php-fpm Tainted: P W OE 5.10.35-le #1
[9226054.126120] Hardware name: netcup KVM Server, BIOS RS 2000 G9.5 02/12/2023
[9226054.126123] RIP: 0010:tempesta_new_clntsk+0x3b/0x50
[9226054.126126] Code: db 55 ce ff 48 8b 05 8c 71 3b 02 48 85 c0 74 1e 48 89 ef 48 8b 00 e8 c4 04 9f 00 41 89 c4 e8 7c ac ce ff 5d 44 89 e0 41 5c c3 <0f> 0b eb d1 45 31 e4 e8 69 ac ce ff 5d 44 89 e0 41 5c c3 66 90 41
[9226054.126127] RSP: 0018:ffffb028401b4d40 EFLAGS: 00010286
[9226054.126129] RAX: 0000000000000218 RBX: ffff944b33abe040 RCX: 000000000000ffd7
[9226054.126131] RDX: 0000000000000058 RSI: 000000000000ffff RDI: ffff944ba0343480
[9226054.126132] RBP: ffff944ba0343480 R08: 0000000000000000 R09: ffffffff8e3290c0
[9226054.126134] R10: ffffffff8ea47100 R11: 0000000000000000 R12: ffff944ba0343480
[9226054.126136] R13: 0000000000000000 R14: ffff944961433690 R15: ffff9449f1865000
[9226054.126141] FS: 00007f0b9d5fa9c0(0000) GS:ffff944c6fd00000(0000) knlGS:0000000000000000
[9226054.126142] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
```

Full log here: kernelpanic.txt

.config file here: kernel_config.txt

krizhanovsky commented 1 year ago

Hi @osevan,

thank you for the bug report! Did you run the latest Tempesta FW master/0.7 release? Could you please provide the Tempesta configuration? Also, it would be very helpful if you could share any information about the workload.

IIRC I saw such a warning on something like a dirty restart or kernel misconfiguration. Probably we should harden the start script or Kconfigs...

osevan commented 1 year ago

I did that on the latest Ubuntu source release.

I compiled with the above .config myself.

osevan commented 1 year ago

https://github.com/tempesta-tech/tempesta/archive/refs/tags/ubuntu-22/0.7.0.zip

osevan commented 1 year ago

Tempesta lms not loaded, only the kernel is started.

In Debian bullseye.

osevan commented 1 year ago

And btw,

I'm using the Tempesta kernel, but not the module, because I don't know how to proxy to nginx's new http3 functionality.

Actual state: I'm using the nginx http3 module for QUIC connections without loading the Tempesta module.

What I want is: Tempesta listening for http2 and http3 on port 443 and proxying or connecting directly via UDP datagram http3 to Nginx http3 sockets.

The Tempesta and nginx connection should run over http3.

krizhanovsky commented 1 year ago

@osevan thank you for the additional information.

I guess some other security module uses `sk_security`, and `tempesta_new_clntsk()`, being called under `CONFIG_SECURITY_TEMPESTA`, sees the non-null pointer.

Need to figure out which module from the provided config does this. Also, please grep for other possible security modules using `sk_security` and patch the Kconfig for `CONFIG_SECURITY_TEMPESTA` to disable the modules, or adjust https://github.com/tempesta-tech/tempesta/wiki/Install-from-Sources to require disabling the modules manually.
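
One way to run the check requested in the last comment against a kernel `.config`, as an added example that is not from the thread or the Tempesta project. The candidate list of LSMs that store per-socket state in `sk->sk_security` (SELinux, Smack, AppArmor) is an assumption based on mainline Linux 5.10 sources; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Tempesta project code.
# Assumption: LSMs that keep per-socket state in sk->sk_security in
# mainline 5.10, as "KCONFIG_SUFFIX:lsm_name". Extend this list after
# grepping security/ in your own tree for sk_security.
SK_SECURITY_LSMS="SELINUX:selinux SMACK:smack APPARMOR:apparmor"

# Print one line per compiled-in LSM that would share sk_security with
# Tempesta. Prints nothing when CONFIG_SECURITY_TEMPESTA is not enabled.
sk_security_conflicts() {
    cfg=$1
    grep -q '^CONFIG_SECURITY_TEMPESTA=y$' "$cfg" || return 0
    # Default boot-time LSM list, e.g. CONFIG_LSM="lockdown,yama,apparmor"
    lsm_list=$(sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p' "$cfg")
    for entry in $SK_SECURITY_LSMS; do
        opt=CONFIG_SECURITY_${entry%%:*}
        name=${entry##*:}
        grep -q "^${opt}=y\$" "$cfg" || continue
        # Compiled in; also report whether it is initialized by default.
        case ",$lsm_list," in
            *",$name,"*) active=yes ;;
            *)           active=no ;;
        esac
        echo "$opt=y in_default_lsm_list=$active"
    done
}

# Constructed sample .config fragment (not the reporter's kernel_config.txt).
make_sample_config() {
    cat <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_TEMPESTA=y
# CONFIG_SECURITY_SELINUX is not set
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_YAMA=y
CONFIG_LSM="lockdown,yama,apparmor"
EOF
}

# Usage: ./check.sh /path/to/.config
if [ $# -gt 0 ]; then
    sk_security_conflicts "$1"
fi
```

Any line of output names a Kconfig option to disable, or to exclude in the Kconfig entry for `CONFIG_SECURITY_TEMPESTA`, before building the kernel.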